An Apple iPhone user in the U.S. has sued LinkedIn over allegations that its app was reading the contents of an Apple device user’s clipboard without their knowledge.
The complainant, Adam Bauer, alleges that LinkedIn’s app, up until a recent update, was reading the information stored on the Universal Clipboard of Apple devices without notifying the user and that LinkedIn has, therefore, been spying on its users, as well as their nearby computers and other devices, and has been circumventing Apple’s Universal Clipboard timeout.
What Is The Universal Clipboard?
According to the Apple website, The Universal Clipboard feature allows users to “copy content such as text, images, photos, and videos on one Apple device, then paste the content on another Apple device”.
The Universal Clipboard works with any Mac, iPhone, iPad, or iPod touch (that meets Continuity system requirements) when devices are near each other and when the devices are signed in to iCloud with the same Apple ID, have Bluetooth, Wi-Fi and Handoff turned on.
Exposed By New Apple’s New Privacy Feature
It appears that the rolling out of a new iOS 14 privacy feature known as ‘paste notifications’ to developers exposed the problem. Paste notifications alerts a user with a “pasted from Messages” alert when text copied to the Apple clipboard is accessed by other apps. Developers soon noticed that not just LinkedIn, but 53 apps were frequently reading users’ clipboard content.
When developers raised the issue online, Microsoft LinkedIn’s Erran Berger (VP Engineering) explained in a Tweet on July 3rd that “We’ve traced this to a code path that only does an equality check between the clipboard contents and the currently typed content in a text box. We don’t store or transmit the clipboard contents.”
The next day, Mr Berger Tweeted “Update: we have released a new version of our app to the iOS App Store that removes this code.”
It appears, therefore, that Mr Bauer’s lawsuit is based upon something that was happening with LinkedIn, apparently due to code error, but which has now been fixed in an updated version of the LinkedIn app.
What Does This Mean For Your Business?
It appears that, had it not been for the recent addition of the ‘paste notifications’ security feature, LinkedIn and dozens of other apps would have carried on reading Apple device users’ clipboards, and therefore accessing potentially sensitive and personal data without users knowing or giving consent. Business users with Apple devices may, like Mr Bauer, be worried and angry that potentially sensitive information in terms of personal data e.g. customers and employees, or commercially sensitive data was potentially made vulnerable to those who were not authorised or given consent to access it. Although LinkedIn’s Mr Berger has said that the company hasn’t been storing or transmitting any of the clipboard data from users, it is still worrying that the fault may have existed some time unnoticed, and may eventually have been spotted and exploited by cybercriminals.